Splunk Enterprise must use TLS 1.2 and SHA-2 or higher cryptographic algorithms.

An XCCDF Rule

Description

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. Splunk Enterprise, by default, is compliant with this requirement. But since the settings can be overridden, the check and fix text in this requirement is necessary.

Documentable: false

ID
SV-251689r961896_rule
Severity
High

Remediation - Manual Procedure

Edit the following files in the $SPLUNK_HOME/etc/system/local folder:

inputs.conf: This fix is applicable to the indexer, which may be a separate machine in a distributed environment.

Check for the following lines. If they do not exist, the settings are compliant. If they exist, they must match the settings below or be removed: